Cyber Resilience

CVE-2013-3897

HighCISA KEVActive ExploitationEUVD Exploited

Published: 09 October 2013

Published
09 October 2013
Modified
22 April 2026
KEV Added
03 March 2022
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.8821 99.5th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2013-3897 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw (CWE-416) in the CDisplayPointer class within mshtml.dll that affects Microsoft Internet Explorer versions 6 through 11. It is triggered when crafted JavaScript code leverages the onpropertychange event handler, resulting in memory corruption that can be leveraged for remote code execution or denial of service. The issue carries a CVSS 3.1 base score of 8.8.

Remote attackers can exploit the flaw by serving malicious web content that executes the crafted JavaScript in a victim's browser. Successful exploitation grants arbitrary code execution in the context of the current user or causes a crash, and the vulnerability was observed being exploited in targeted attacks during September and October 2013.

Microsoft Security Bulletin MS13-080 and the associated US-CERT alert TA13-288A address the issue as part of a cumulative update for Internet Explorer, noting that the attacks observed were limited and targeted. The bulletin recommends applying the patch to affected systems and highlights defense-in-depth measures such as enhanced security configuration for Internet Explorer.

The vulnerability was publicly disclosed after real-world exploitation had already occurred, underscoring the importance of timely patching for legacy browser versions still in use.

EU & UK References

Vulnerability details

Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler,…

more

as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CWE(s)
KEV Date Added
03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
internet explorer
10, 11, 6, 7, 8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the MS13-080 cumulative update that eliminates the use-after-free flaw in mshtml.dll.

prevent

Restricts or filters mobile code (JavaScript) execution in the browser, blocking the onpropertychange handler vector used to trigger the vulnerability.

prevent

Enforces least functionality by disabling unnecessary IE scripting features or running IE in a reduced-capability configuration, limiting exposure to the crafted JavaScript payload.

References